- A vulnerability in the UpdraftPlus plugin on Awesome Motive’s marketing server let attackers steal a CDN API key and inject malicious JavaScript into files served from the company’s CDN.
- The malware targeted logged-in WordPress administrators, collecting their authentication tokens and nonces to create fraudulent administrator accounts and take full control of the site.
- Site owners are urged to check for fake administrator accounts (‘developer_api1’, ‘dev_xxxxxx’) and hidden backdoor plugins, and to rotate credentials and WordPress security keys and salts.
More than a million WordPress websites were at risk of complete takeover after a vulnerability in a plugin enabled a large-scale supply chain attack. The attack was detected over the weekend by the security team of e-commerce security firm Sansec and later confirmed by Awesome Motive, the affected company.
According to researchers, hackers found and exploited a vulnerability in the UpdraftPlus WordPress plugin running on a marketing server belonging to Awesome Motive, the company behind several popular WordPress products, including OptinMonster, TrustPulse, and PushEngage.
Although the vulnerable server was not part of the production environment, it stored credentials for the company’s content delivery network (CDN), and by using the stolen CDN API key, attackers were able to modify JavaScript files distributed through Awesome Motive’s CDN.
Targeting only administrators
The compromised files were loaded by OptinMonster, TrustPulse, and PushEngage, meaning the attackers’ JavaScript reached visitors of every site using those products, though it did not act on all of them.
The malware only activated when a logged-in WordPress administrator visited an affected site, which helped it stay hidden while targeting only high-privileged users. The malicious script then collected the administrator’s authentication tokens and WordPress nonces and used them to create new administrator accounts.
In the next step, the attackers installed additional malicious plugins, established command-and-control communications, and began exfiltrating sensitive data. The malware also provided web shell functionality, arbitrary PHP code execution, file management, and virtually anything else an administrator could do.
Even after Awesome Motive removed the malicious scripts from its CDN, the attackers retained control of already compromised websites through the rogue administrator accounts and hidden backdoor plugins. Website owners should therefore look for fraudulent administrator accounts named ‘developer_api1’ or ‘dev_xxxxxx’, inspect the file system directly under wp-content/plugins for hidden backdoor plugins (rather than relying on the plugin list in the dashboard), and run server-side malware scans.
They should also rotate administrator passwords, API keys, database credentials, and the WordPress security keys and salts.
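The two checks above, as an added example that is not part of the original article or of any Awesome Motive or Sansec tooling: the script flags administrator accounts whose login matches the names reported in the incident, and compares what is physically present under wp-content/plugins with what the WordPress dashboard reports. The user CSV, the dashboard plugin list and the on-disk plugin tree are all constructed sample data (in practice they would come from `wp user list --fields=user_login,roles --format=csv`, `wp plugin list --field=name`, and the real plugins directory); the assumption that ‘dev_xxxxxx’ means ‘dev_’ followed by six alphanumerics, and the plugin names used in the sample, are hypothetical.

```python
import csv
import io
import os
import re
import tempfile

# Constructed sample of `wp user list --fields=user_login,roles --format=csv` output.
SAMPLE_USER_CSV = """user_login,roles
alice,administrator
bob,editor
developer_api1,administrator
dev_a7k3q9,administrator
devon,subscriber
"""

# Constructed sample of what `wp plugin list --field=name` (the dashboard view) reports.
SAMPLE_DASHBOARD_SLUGS = {"akismet", "updraftplus"}

# 'developer_api1' is the exact name from the incident; 'dev_' + six
# alphanumerics is an assumption about what 'dev_xxxxxx' stands for.
SUSPICIOUS_LOGIN = re.compile(r"^(developer_api1|dev_[0-9a-z]{6})$")

# WordPress recognises a plugin by a 'Plugin Name:' header in a top-level PHP file.
PLUGIN_HEADER = re.compile(r"Plugin Name:", re.IGNORECASE)


def suspicious_admins(user_csv):
    """Return administrator logins that match the account names reported in the attack."""
    hits = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        roles = row["roles"].split(",")
        if "administrator" in roles and SUSPICIOUS_LOGIN.match(row["user_login"]):
            hits.append(row["user_login"])
    return hits


def has_plugin_header(path):
    """True if the first 8 KiB of the file carry a WordPress plugin header."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return bool(PLUGIN_HEADER.search(fh.read(8192)))
    except OSError:
        return False


def unlisted_plugins(plugins_dir, dashboard_slugs):
    """Return (entry, reason) pairs for plugin entries the dashboard would not show.

    Two cases are flagged: code with no plugin header (WordPress never lists it,
    so it is invisible in the UI) and a properly headed plugin whose slug is
    absent from the dashboard's own list (hidden from the list by other means).
    """
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if entry == "index.php":
            continue  # WordPress ships a placeholder index.php in this directory
        if os.path.isdir(path):
            slug = entry
            php_files = [os.path.join(path, f) for f in os.listdir(path) if f.endswith(".php")]
            headed = any(has_plugin_header(f) for f in php_files)
        elif entry.endswith(".php"):
            slug = entry[:-4]
            headed = has_plugin_header(path)
        else:
            continue
        if not headed:
            findings.append((entry, "no plugin header: invisible to the dashboard"))
        elif slug not in dashboard_slugs:
            findings.append((entry, "present on disk but not reported by wp plugin list"))
    return findings


def build_sample_plugins_dir():
    """Create a constructed wp-content/plugins tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    plugins = os.path.join(root, "wp-content", "plugins")
    files = {
        "index.php": "<?php\n// Silence is golden.\n",
        "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet Anti-Spam\n*/\n",
        "updraftplus/updraftplus.php": "<?php\n/*\nPlugin Name: UpdraftPlus\n*/\n",
        # Hypothetical stand-in for a headerless backdoor file (benign content here).
        "wp-cache-helper/loader.php": "<?php\n// constructed stand-in, no plugin header\n",
        # Hypothetical plugin with a valid header that the dashboard list omits.
        "wp-stats-lite/wp-stats-lite.php": "<?php\n/*\nPlugin Name: WP Stats Lite\n*/\n",
    }
    for rel, body in files.items():
        full = os.path.join(plugins, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return plugins


def scan_sample_site():
    """Run both checks against the constructed sample data."""
    return {
        "suspicious_admins": suspicious_admins(SAMPLE_USER_CSV),
        "unlisted_plugins": unlisted_plugins(build_sample_plugins_dir(), SAMPLE_DASHBOARD_SLUGS),
    }


if __name__ == "__main__":
    for key, value in scan_sample_site().items():
        print(key)
        for item in value:
            print("  ", item)
```

Against a real site, replace the constructed inputs with the live ones and treat any hit as a reason for a full server-side scan: an admin account that merely escapes the name pattern, or a plugin directory that looks legitimate, is not proof of a clean install.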
Via BleepingComputer




